Auth Guard

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real authorization-helper skill, but its security guarantees are overstated and several implementation choices could let users rely on protection that is not actually enforced.

Treat this as a Review item, not confirmed malware. Install only if you understand that it is an opt-in wrapper, not a universal API firewall. If you do install it:
  • Keep STRICT mode enabled.
  • Do not let agents run the approve command or write decision files.
  • Replace the placeholder API key.
  • Restrict permissions on ~/.auth_guard.
  • Use only trusted webhook destinations.
  • Avoid sending sensitive payloads in notifications.
  • Review or modify the installer so it does not overwrite existing configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill documents capabilities that read/write local files, make network requests, and run a local authorization service, but it declares no permissions. This is dangerous because operators or automated vetting may trust the metadata and install or invoke a skill without understanding that it can transmit data, persist logs/configuration, and alter local security posture.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The skill claims that all external API operations require explicit user authorization and that user instructions are the sole highest priority, yet its documented behavior allows bypass paths such as AUDIT mode, WHITELIST auto-approval, and disabling the guard. In a security control, this mismatch is dangerous because users may rely on the skill as an uncompromising enforcement layer when in fact it can silently degrade into monitoring-only or partially automatic approval behavior.

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: `verify_token` unconditionally returns `{"valid": True}` for any supplied token, so any caller can present an arbitrary string and be treated as authorized. In a skill whose purpose is to gate external API actions behind explicit user approval, this completely defeats the security boundary and enables unauthorized operations.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding: `revoke_token` always returns `True` but performs no state change, so previously issued tokens remain usable even after an attempted revocation. This creates a false sense of control and can allow continued unauthorized access after compromise, policy change, or user withdrawal of consent.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The status command prints the first 16 characters of the configured API key directly to the terminal. Even partial secret disclosure is unnecessary for this skill’s authorization purpose and can leak sensitive material via shell history, terminal logs, screenshots, or shared sessions, weakening secret confidentiality and aiding correlation or targeted abuse.

Context-Inappropriate Capability
Severity: Medium
Confidence: 98%
Finding: The config show command outputs the entire configuration file, which likely includes security-sensitive settings such as API keys, notification endpoints, and operational controls. In an auth-guard skill, exposing full security configuration is especially dangerous because it undermines the very protection layer the tool is meant to enforce and can enable bypass or secondary compromise.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: The installer prepares outbound network capability by installing the requests library and instructing the user to configure a Feishu webhook, which expands the skill beyond a minimal local authorization guard. In the context of a security layer whose stated purpose is preventing unauthorized external API use, adding notification/webhook infrastructure increases attack surface and creates a path for data egress or policy bypass if later components misuse it.

Context-Inappropriate Capability
Severity: Medium
Confidence: 87%
Finding: Installing network dependencies and steering users toward external webhook configuration is not clearly necessary for an authorization-enforcement component, so it violates least functionality. For a high-priority guard skill, unnecessary external integration is more dangerous because users may trust it as protective while it quietly introduces new communications channels.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: This finding describes the same underlying issue as the secret exposure at line 27: the CLI reveals part of the API key without a compelling operational need. Partial masking does not eliminate risk when the value is still sensitive and can be captured from terminal output or logs.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The installer copies example configuration files directly into user paths without checking whether files already exist, which can overwrite prior settings and security controls. This is dangerous because it may silently replace hardened configuration, reset safe defaults, or redirect future behavior toward new external endpoints such as a webhook.

VirusTotal

66/66 vendors flagged this skill as clean.